Chapter 17 - 02 - Determine Baseline Traffic Signatures for Normal and Suspicious Network Traffic_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

Module Flow

Understand the Need and Advantages
of Network Traffic Monitoring

Determine Baseline Traffic Signatures for
Normal and Suspicious Network Traffic

Perform Network Monitoring
for Suspicious Traffic

Determine Baseline Traffic Signatures for Normal and Suspicious
Network Traffic
The objective of this section is to explain the various types of network traffic signatures and the
concept of baselining normal traffic signatures. It describes the categories of suspicious
network traffic signatures and attack signature analysis techniques.

Module 17 Page 2031 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

Network Traffic Signatures

&
O Asignature is a set of traffic characteristics such as a source/destination IP address, ports, @
Transmission Control Protocol (TCP) flags, packet length, time to live (TTL), and protocols
O Signatures are used to define the type of activity on a network R

Types of Signatures

Normal Traffic Signature J
” Attack Signatures

» Acceptable traffic patterns » Suspicious traffic patterns not
allowed to enter the network allowed to enter the network

All Rights Reserved. Reproduction
Is Strictly Prohibited

Network Traffic Signatures
A signature is a set of characters that define network activity, including IP addresses,
Transmission Control Protocol (TCP) flags, and port numbers. It includes a set of rules used to
detect malicious traffic entering a network. Signatures are used to perform the following:

= Raise alerts in the case of unusual traffic on the network.
= |dentify suspicious header characteristics in a packet.

= Configure an intrusion detection system to identify attacks or probes.
= Acquire knowledge on a specific attack that occurred or a vulnerability that can be
exploited.
= Match patterns in a packet analysis.

Type of Signatures
Signatures are classified into two main categories depending on their behavior, as described
below.
= Normal traffic signatures: These include the normal network traffic in the network and
are defined based on a normal traffic baseline for the organization. These signatures do
not contain any malicious patterns and can be allowed to enter the network.

= Attack Signatures: Traffic patterns that appear suspicious are generally treated as attack
signatures. These signatures should not be allowed to enter the network. If allowed,
they often cause a network security breach. These signatures deviate from the normal
signature behavior and should be analyzed.

Module 17 Page 2032 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

Baselining Normal Traffic Signatures
O A network baseline is the accepted behavior for normal network traffic.
It is a benchmark to differentiate between normal and suspicious traffic
O Network traffic baselines differ between organizations and change over
time according to the operating environment and prevailing threat
scenario

Some considerations to create a baseline for normal traffic:

= TCP/IP communication involves a three-way handshake for normal
traffic
= ASYN flag appears at the beginning and a FIN flag at the end of a
connection

= All conversations originating inside the demilitarized zone (DMZ) are
trusted traffic items
= Any traffic violating the network policies is malicious traffic; e.g., the
existence of File Transfer Protocol (FTP) traffic when this type is
restricted indicates a potential issue

Baselining Normal Traffic Signatures
A network traffic baseline helps understand the behavioral patterns of a network. It is a
benchmark to differentiate between normal and suspicious traffic. Baselining allows a set of
metrics to monitor network performance. These metrics define the normal working condition
of an enterprise’s network traffic. The network traffic is compared with metrics to detect any
changes in the traffic that could indicate a security issue in the network. A network traffic
baseline establishes the accepted packets that are safe for the organization. Baselining the
traffic facilitates the detection of suspicious activities on the network. Any deviation from the
normal traffic baseline can be considered a suspicious traffic signature. The security
professional should define a network baseline for their organization and validate the traffic
against it. Baselining is more effective if it works in parallel with the organization’s policy. With
the help of normal traffic baselining, security professional can judge the requirements to secure
the network. Network traffic baselines differ between organizations and change over time
according to the operating environment and prevailing threat scenario.

Although, there is no industry standard to measure network traffic performance baselines,
there are network monitoring tools that provide estimates of what type of traffic is normal. A
network traffic baseline should be defined for all incoming, and outgoing Internet traffic and
wide area network (WAN) links. The network traffic baseline should also contain the traffic for
critical business data and backup systems.
= According to a network traffic baseline, normal traffic signatures for TCP packets should
have the following characteristics:

o To establish a three-way handshake, TCP uses SYN, SYN ACK, and ACK bits in every
session.

Module 17 Page 2033 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

o The ACK bit should be set in every packet, except for the initial packet, in which the
SYN bit is set.

o FIN ACK and ACK are used in terminating a connection. PSH FIN and ACK may also be
used initially in the same process.

o RST and RST ACK are used to quickly end an on-going connection.

o During a conversation (after a handshake and before termination), packets only
contain an ACK bit by default. Occasionally, they may also have a PSH or URG bit set.
= A suspicious TCP packet has one or more of the following characteristics:

o If both SYN and FIN bits are set, the TCP packet is illegal.
o SYN FIN PSH, SYN FIN RST, and SIN FIN PSH RST are all variants of SIN FIN. An
attacker sets these additional bits to avoid detection.

o A packet having only a FIN flag is illegal as FIN can be used in network mapping, port
scanning, and other stealth activities.

o Some packets have all six flags unset; these are known as NULL flags and are illegal.

o The source or destination port is zero.
o Ifthe ACK flag is set, then the acknowledgement number should not be zero.
o If a packet has only the SYN bit, which is set at the beginning to establish a
connection, and any other data are present, then it is an illegal packet.
o If the destination address is a broadcast address (ending with 0 or 255), it is an illegal
packet.

o Every TCP packet has two bits reserved for future use. If either or both are set, then
the packet is illegal.
= All conversations originating inside the demilitarized zone (DMZ) are trusted traffic
items.
= Any traffic violating the network policies is malicious traffic, e.g., the existence of File
Transfer Protocol (FTP) traffic when this type is restricted indicates a potential issue.

= Any Dynamic Host Configuration Protocol (DHCP) traffic from unknown DHCP servers
indicates a rogue DHCP server.
= Mail traffic originating in the network but not sent to a mail server is suspect.

= Any DNS traffic not sent to the DNS server is suspect.
= Any outgoing traffic with internal addresses not matching the organization’s address
space may be malicious.

Module 17 Page 2034 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

Categories of Suspicious Traffic Signatures

Informational Reconnaissance
Traffic containing certain signatures Traffic containing certain signatures
that may appear suspicious but that indicate an attempt to gain
might not be malicious information

Unauthorized Access E Denial of Service
Traffic containing certain signatures Traffic containing certain signatures
that indicate an attempt to gain that indicate a DoS attempt that
unauthorized access floods a server with a large number
of requests

Categories of Suspicious Traffic Signatures
Network traffic deviating from normal behavior is categorized as a suspicious traffic signature.
It is classified into four categories as follows.
Informational: The informational traffic signature detects normal network activity.
Although it may not appear suspicious, the data gathered through the informational
signature can be used for suspicious activities. For example, informational traffic
signatures may include the following:

o Internet Control Message Protocol (ICMP) echo requests

o TCP connection requests
o User Datagram Protocol (UDP) connections
Reconnaissance: Reconnaissance traffic consists of signatures that indicate an attempt
to scan the network for possible weaknesses. Reconnaissance is an unauthorized
discovery of vulnerabilities, which maps of systems and services. Reconnaissance is also
known as information gathering, and it precedes a network attack in most cases. For
example, reconnaissance traffic signatures may include the following:
o Ping sweep attempts

o Port scan attempts

o Domain Name System (DNS) query attempts
Unauthorized access: Traffic may contain signs of someone attempting to gain
unauthorized access, unauthorized data retrieval, system access or privilege escalation,
etc. An attacker who does not have privileges to access an organization's network

Module 17 Page 2035 Certified Cybersecurity Technician Copyright © by EG-Gouncil
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

usually generates this type of traffic with the intention of capturing sensitive data. For
example, unauthorized access traffic signatures may include the following:
o Password cracking attempts
o Sniffing attempts
o Brute-force attempts
= Denial of service (DoS): This type of traffic may contain a large number of requests from
a single source or multiple sources, which are sent as an attempt to perform a DoS
attack. This type of attack is performed to disrupt the service of the target organization.
For example, DoS traffic signatures may include the following:

o Ping of death attempts
o SYN flood attempts

Module 17 Page 2036 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

Attack Signature Analysis Techniques
Content-based signature analysis Context-based signature analysis
O Attack signatures are contained in packet payloads O Attack signatures are contained in packet headers
QO

[ @9 HEADER | PpAYLOAD |
[ HEADER | @@& PAYLOAD|
O Inspect packets for unusual/suspicious header
O Check for specific strings occurring in the suspicious information such as the following:
payload.
r Source and destination IP addresses
IP options, protocols, and checksums
Source and destination port numbers

‘f
IP fragmentation flags, offset, or identification

‘f
Atomic-signature-based analysis Composite-signature-based analysis

QO Single-packet analysis is sufficient to detect attack Q Multiple-packet analysis is required to detect attack
signatures signatures

| HEADER | PAYLOAD | El
u
HEADER | PAYLOAD ll
ool
HEADER |
:
PAYLOAD I;
H

Copyright ©© by
Copyright by EC
EC cll.L All Rights Reserved, Reproductionis Strictly Prohibited

Attack Signature Analysis Techniques
Attack signature analysis techniques are classified into four different categories as follows.
= Content-based signature analysis: Content-based signatures are detected by analyzing
the data in the payload and matching a text string to a specific set of characters. If
undetected, these signatures can open backdoors in a system, providing administrative
controls to an outsider.
= (Context-based signature analysis: Packets are usually altered using the header
information. Suspicious signatures in the header can include malicious data that can affect
the following:
o Source and destination IP addresses

o Source and destination port numbers

o |P options
o |P protocols

o |P, TCP, and UDP checksums
|IP,

o IP fragmentation flags, offset, or identification

= Atomic-signature-based analysis: To detect an atomic signature, security professionals
need to analyze a single packet to determine whether the signature includes malicious
patterns. Security professionals do not require any knowledge of past or future activities
to detect these signature patterns.

= Composite-signature-based analysis: In contrast to atomic signatures, security
professionals need to analyze a series of packets over a long period of time to detect

Module 17 Page 2037 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Network Traffic Monitoring

composite attack signatures. Detecting these attack patterns is exceedingly difficult. ICMP
flooding is an example of an attack performed using composite signatures. In this attack,
multiple ICMP packets are sent to a single host so that the server remains busy
responding to the requests.
Attacker signatures may be located in either the header or payload of the packet.

Module 17 Page 2038 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.